Opinion

Are We Converged Yet?

Dan Geer once observed that "a fair percentage of risk management is naturally drawn to where the risks are unmanaged; and that sure as hell is information."

By Lew McCreary

December 01, 2004 | CSO

Dan Geer, who applies his mathematical understanding of risk to problems of cybersecurity, once observed that "a fair percentage of risk management is naturally drawn to where the risks are unmanaged; and that sure as hell is information."

If the natural job of CSOs is to identify and address significant areas of unaddressed risk, we would expect their attention to focus powerfully on infosecurity. And yet, as security continues its evolutionary path toward, we believe, a converged model of governance (the blissful state of unification between infosec and traditional disciplines), it still founders on unproductive mistrust and legacy attitudes. (This is not the first column I have devoted to this topic, more like the third and probably not the last.)

We recently looked at a survey of CSO readers, conducted by an independent research firm whose main purpose was to measure the strength of responses to advertising and editorial content. Included in the report were verbatim comments from readers about their overall impressions of the magazine. Happily, most of those surveyed like us just fine. But interestingly, we discerned a greater tolerance among infosec types for coverage of non-infosec topics and, conversely, a marked intolerance among traditional security types for coverage of infosecurity. If Dan Geer is right, if security governance is largely a matter of risk management, shouldn't there be an insatiable hunger among all security executives for insight into the unaddressed risks of infosecurity?

These verbatims are admittedly an unscientific body of evidence. But they join with other aggregated conversations we've had with our readers, in which we hear way too many snarky rejoinders tossed across the divide between traditional and infosecurity camps. And camps are apparently what, too often, they are. Can someone please explain to me why this is?

The great importance of achieving convergence plays out in a public way within the Department of Homeland Security, where there has been a persistent struggle to give cybersecurity the weight it demands. Most recently, Amit Yoran resigned his post as DHS's cybersecurity czar. Though Yoran himself has declined to confirm that his departure was caused by frustrations over a lack of agency commitment to moving the cybersecurity agenda forward, others spoke freely about a climate of political backwatering in which Yoran's position was three levels removed from DHS Secretary Tom Ridge.

The point here is not to argue that cybersecurity ought to be given more prominence (though in many cases it should). It is to argue that security ought to be seen holistically, in which model cybersecurity would transcend its bucketed status. Indeed, considering IT or any other kind of security in isolation from the rest is a serious misunderstanding of the larger purposes of security as a broad strategic activity.
